Skip to content

[improve][broker/proxy] Optionally prevent role/originalPrincipal logging #23386

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

[improve][broker/proxy] Optionally prevent role/originalPrincipal logging #23386

wants to merge 9 commits into from

Conversation

KannarFr
Copy link
Contributor

@KannarFr KannarFr commented Oct 1, 2024

Motivation

Add option in broker and proxy to optionally prevent them from logging role or orignalPrincipal. If the option is activated they will log [REDACTED].

If I missed some logs, please share them.

Verifying this change

  • Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Oct 1, 2024
@lhotari
Copy link
Member

lhotari commented Oct 1, 2024
edited
Loading

Add option in broker and proxy to optionally prevent them from logging role or orignalPrincipal. If the option is activated they will log [REDACTED].

Do you have a chance to share some details of the use case where this is needed? Does the role contain sensitive information? Is this a compliance requirement to not log it?

@KannarFr
Copy link
Contributor Author

KannarFr commented Oct 2, 2024
edited
Loading

Add option in broker and proxy to optionally prevent them from logging role or orignalPrincipal. If the option is activated they will log [REDACTED].

Do you have a chance to share some details of the use case where this is needed? Does the role contain sensitive information? Is this a compliance requirement to not log it?

We use token-based authN/authZ, so the role contains the token. This PR will remove logging them and reduce log storage as we produce like 30 log/s just for logging role content (with a 500bytes token).

@KannarFr KannarFr force-pushed the optionallyPreventRoleLogging branch from 7e68070 to 29687ce Compare October 3, 2024 11:04
@KannarFr
Copy link
Contributor Author

KannarFr commented Oct 3, 2024

@lhotari I defined two configuration keys for broker and proxy. One anonymizes using SHA-256. The other put REDACTED. Is that ok?

@lhotari
Copy link
Member

lhotari commented Oct 3, 2024

@lhotari I defined two configuration keys for broker and proxy. One anonymizes using SHA-256. The other put REDACTED. Is that ok?

@KannarFr good progress, I added review comments.

@KannarFr KannarFr force-pushed the optionallyPreventRoleLogging branch from b4c3ff3 to 368d2e4 Compare October 15, 2024 14:02
lhotari
lhotari reviewed Oct 15, 2024
View reviewed changes
Copy link
Member

@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work @KannarFr! 2 minor comments remaining. It would be good to document this as a PIP since most new features are documented that way. You can take a minimal approach for the PIP document and cover the relevant details that are provided in this PR.

@KannarFr KannarFr force-pushed the optionallyPreventRoleLogging branch from 7af5587 to e153616 Compare October 17, 2024 09:50
@github-actions github-actions bot added the PIP label Oct 17, 2024
@KannarFr
Copy link
Contributor Author

Great work @KannarFr! 2 minor comments remaining. It would be good to document this as a PIP since most new features are documented that way. You can take a minimal approach for the PIP document and cover the relevant details that are provided in this PR.

Done!

@lhotari
Copy link
Member

lhotari commented Oct 30, 2024

Please split the PIP document to a separate PR. That's what is usually done. The PIP document PR would get merged before the implementation PR.

@lhotari
Copy link
Member

lhotari commented Oct 30, 2024
edited
Loading

When you create the PIP document PR, please make the file name pip-XXX.md since most PIP docs have such file name. You should check the mailing list and existing PRs to find a PIP number that isn't used yet. PIP-385 is already taken.

@KannarFr KannarFr mentioned this pull request Nov 12, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lhotari lhotari lhotari left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
doc-not-needed Your PR changes do not impact docs PIP
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@KannarFr @lhotari